Friday, November 22, 2013

Who Cares About Regulatory Compliance Anyway?!? (And Why Sales & Marketing Should)

“Culture drives great results.” ~Jack Welch

“Treasures of wickedness profit nothing: but righteousness delivereth from death.” ~Proverbs 10:2

Recall the last time you engaged in your organization’s annual budget process. If you are like many Chief Compliance Officers, your Chief Financial Officer probably wasn’t offering huge increases in your budget. In fact, you were likely asked (or told) how much of a budget reduction target you would be expected to achieve in 2014. It’s enough to make you want to declare, “Really?!?”

In this era of exponential increases in domestic and international regulatory compliance obligations, we are planning strategically to meet the monitoring and reporting challenges with enhanced governance, efficient technology applications, and increased staffing. Yet we are frequently challenged financially to justify our alleged expense-side burden on the income statement, while our revenue-producing friends across the income statement aisle often escape the budgeting process unscathed—or even emboldened. We must partner with them.

Why do I believe that we must engage our colleagues in Sales & Marketing to share our commitment to enterprise-wide regulatory compliance? Well, it certainly begins with the “tone at the top” set in the C-suite, thus implying that all production, revenue, and administrative leaders must be equally and uniformly committed to your organization’s Code of Conduct. And while I am not implying that our Sales & Marketing employees are solely responsible for regulatory fines and sanctions, exposure to the marketplace does generate the overwhelming volume of regulatory action for any organization.

So, let me ask you a few questions…

· What product or service does your organization sell?

· What is the profit margin on each unit sold?

· How many units must you sell to recover the income consumed by a large regulatory fine, attendant civil litigation, and associated loss of revenue from brand reputation depreciation?

Apply that calculation to the recent J.P. Morgan Chase $13 billion U.S. Department of Justice settlement. Someone at that bank is going to have to sell a slew of mortgages and auto loans to recapture that lost revenue!

So, let me ask you a few more questions…

· What is the aggregate cost to invest in training each of your employees to comprehend and practice ethical and compliant behavior appropriate for their job classification at your organization?

· What is the aggregate cost to invest in implementing appropriate internal controls and continuous monitoring systems to prevent, detect, and mitigate compliance failures at your organization?

· Is the sum of those two investments less than the cost of a large regulatory fine, attendant civil litigation, and associated loss of revenue from brand reputation depreciation?

Notwithstanding the painful financial cost of fines and litigation, salespeople viscerally understand the burden of attempting to sell a product or service that has become a perceived societal pariah. [Think Arthur Andersen…Enron…the Ford Pinto.]

When we train our Sales & Marketing colleagues to understand pertinent consumer protection regulation and encourage those colleagues to leverage management, the Code of Conduct, and your Compliance team to detect, report, and mitigate compliance risks, everyone wins. Let’s face it…sales incentives and corporate bonuses are larger for everyone in the company when left undiminished by preventable costs of fines, litigation, and lost sales. And that, my friends, is why Sales & Marketing should care about regulatory compliance.

Tuesday, November 5, 2013

Regulatory Compliance: Tear Down That Ivory Tower!

I recently ran into a Compliance colleague, “Jill”, whom I hadn’t seen in a while. As we exchanged pleasantries, Jill explained how busy she has been at her organization, to a point where she “couldn’t even get out of her office for lunch most days.” I understood her sentiment, but I challenged Jill’s premise that her most effective oversight of her Compliance Management Program was being accomplished sitting at her desk with her nose to the proverbial grindstone.

“What do you mean?”, Jill inquired.

“For starters, how are you assessing the compliance culture within and across your organization?”, I responded. I waited for the predictable response.

“I receive reports from each department head on a quarterly basis. I meet with those same department heads at least annually as we update our risk assessment.” And then she punctuated her response, “I always know what is going on from a Compliance perspective.”

We visited for a few more minutes before continuing on our respective journeys. I have the utmost respect for Jill, and the many colleagues with whom I’ve engaged in similar conversations over the years. But I was reminded again that day that differing viewpoints pervade our Compliance Management profession.

I liken the practice of our craft to that of a world traveler. In fact, given the international nature of Regulatory Compliance, many of us have become world travelers from time to time. But one cannot truly experience traveling the world by reading other people’s written accounts of foreign lands. Similarly, Compliance professionals cannot simply read stacks of reports, formally engage department heads once or twice annually, and conclude that they have traveled the organizational “globe”.

We’ve got to come down out of our ivory towers. In fact, we’ve got to tear down our ivory towers in the Compliance Department and never return to our old ways. Instead, let’s engage leaders at all levels across our organizations as often as possible. Informal dialogue that may occur within the context of a scheduled project meeting, or a chance meeting in the hallway, can often generate useful information that lends itself well to a holistic risk assessment.

Leaders want to tell you what concerns they are facing, and when those concerns signal regulatory compliance exposure, you have an opportunity to collaborate further toward a resolution. Internal Audit provides another natural source of regulatory compliance risk data gleaned from its expansive reach throughout your organization. Regulatory Compliance also finds a natural ally in the Information Technology Department, where governance, risk management and compliance looms large over an ever-evolving landscape. Compliance professionals grow to become trusted confederates with leaders of lines of business, Internal Audit and Information Technology.

So join me! Grab your water bottle or coffee cup, and explore your organization more freely. Engage others daily and take a more genuine interest in the regulatory compliance challenges facing your fellow leaders. Collaborate with them to develop lasting compliance solutions. Your risk assessments and resultant regulatory compliance program will flourish, producing more meaningful results for the entire organization. You won’t want to return to the ivory tower.

Thursday, October 17, 2013

Don’t make the wrong call!

Ensuring compliance with the Telemarketing Sales Rule (TSR) and Telephone Consumer Protection Act (TCPA)

* The FTC has long blazed a trail of consumer protection aimed at unscrupulous telemarketers.
* The FCC has strengthened its arsenal of weapons aimed at robocallers.
* Failure to incorporate the 2013 requirements can cost your company millions of dollars.
* Compliance Departments must engage all stakeholders in the organization.
* Building a compliant outbound calling & texting program will protect profits and the brand.
No longer can any sales and service organization naively believe that it will escape the notice of United States federal consumer protection regulators. If your organization uses a telephone to reach consumers, then the Federal Trade Commission (FTC) and the Federal Communications Commission (FCC) are two agencies on which regulatory compliance professionals must keep a watchful eye.

Given the volume of outbound communication that sales and service operations generate, careless violations of FTC and FCC consumer communications rules draw sizeable financial penalties. To understand the impact of the October 2013 FCC amendments, it is helpful to first review the FTC’s Telemarketing Sales Rule requirements.

FTC Telemarketing Sales Rule 2008 Amendments

The FTC administers the Telemarketing Sales Rule (TSR). Amended in 2008, the TSR governs outbound telephone calls initiated by a telemarketer, including those involving dialing technology (“autodialers”) and pre-recorded messages. As defined by the FTC:

• “Outbound telephone call” means a telephone call initiated by a telemarketer to induce the purchase of goods or services or to solicit a charitable contribution;
• “Telemarketer” means any person who, in connection with telemarketing, initiates or receives telephone calls to or from a customer or donor; and
• “Telemarketing” means a plan, program, or campaign which is conducted to induce the purchase of goods or services or a charitable contribution, by use of one or more telephones and which involves more than one interstate telephone call.1

Some prerecorded messages still are permitted under these rules — for example, messages that are purely informational. That means a consumer may still receive calls to let him/her know a flight’s been cancelled, reminders about an appointment or messages about a delayed school opening. But the business doing the calling still isn’t allowed to promote the sale of any goods or services. Political calls, calls from certain healthcare providers and messages from a business contacting a consumer to collect a debt also are permitted. Prerecorded messages from banks, telephone carriers and charities also are exempt from these rules if the banks, carriers or charities make the calls themselves.2

While notifying consumers of a store address change is considered informational (thus not telemarketing), inviting them to a grand opening celebration at the new address could be considered part of a “plan, program or campaign” to induce the purchase of goods or services. That is, merely mentioning the grand opening could be the “hook” for a court or regulator to determine that the entire script is “telemarketing.”

The amended TSR expressly bars telemarketing calls that deliver prerecorded messages, unless a consumer previously has agreed to accept such calls from the seller.3 As a result, most businesses became required to obtain the consumer’s written permission before they could call a consumer with prerecorded telemarketing messages, or “robocalls”. In fact, a business has to make it clear it’s asking to call a consumer with these kinds of messages, and it can’t require a consumer to agree to the calls in order to get any goods or services. If the consumer initially agrees to receive robocalls, the consumer also retains the right to change his/her mind and rescind his/her opt-in.

The FTC takes enforcement of the TSR very seriously when it comes to robocall violators. In May 2013, an FTC-led complaint5 was resolved by a stipulated settlement filed by the Department of Justice.4 Specifically, citing 16 C.F.R. § 310.4(b)(1)(v)(A), the Defendant company was permanently restrained and enjoined from engaging in, causing others to engage in, or assisting other persons to engage in:

A. Initiating any outbound telephone call that delivers a prerecorded message to induce the purchase of any good or service unless, prior to making any such call, the seller has obtained from the recipient of the call an express agreement, in writing, that:
1. the seller obtained only after a clear and conspicuous disclosure that the purpose of the agreement is to authorize the seller to place prerecorded calls to such person;
2. the seller obtained without requiring, directly or indirectly, that the agreement be executed as a condition of purchasing any good or service;
3. evidences the willingness of the recipient of the call to receive calls that deliver prerecorded messages by or on behalf of a specific seller; and
4. includes such person’s telephone number and signature.

The Defendant was ordered to undergo federal compliance monitoring, extensive recordkeeping and detailed reporting for 10 years. Additionally, the settlement included a judgment in the amount of $75,000 entered in favor of the FTC against the Defendant as a civil penalty. That judgment was far more lenient than the $16,000 per call that the FTC is authorized to assess under the TSR.

FCC Telephone Consumer Protection Act 2012 Amendments

The FCC administers the Telephone Consumer Protection Act (TCPA). In alignment with the FTC position, revised FCC TCPA rules took effect on October 16, 2013 and require “prior express written consent” for pre-recorded telemarketing calls using autodialer technology made to both cell phones and land line phones. This rule change expressly amends the previous FCC rule which (1) had not required written consent; and (2) had allowed prerecorded telemarketing calls to land line phones where a business relationship existed.

The FCC has taken a very broad view of the use of autodialer technology. Although the rules provide a very specific definition of autodialer, regulators and the courts have interpreted the definition so broadly that any computerized dialing device could be viewed as an autodialer. It is advisable not to make non-consented calls to cellphones, unless your organization has an entirely manual process for initiating the call.

Misusing, or misunderstanding, autodialer technology without first obtaining prior express written consent has expensive consequences. The TCPA provides a private right of action, and recent class action lawsuits have settled for tens of millions of dollars.6

Costly non-compliance

Non-compliance with the TSR and the TCPA exposes your organization to civil liability as well as regulatory sanctions and fines. At up to $1,500 per violation, non-compliance with the TCPA text message requirements alone could expose your organization to a sizeable civil judgment: a company that sends a mere 7,000 non-consented text messages could face statutory damages in excess of ten million dollars.

This TCPA text message revision is anticipated to also invite predatory class action litigation as enterprising plaintiff attorneys seek to capitalize on the technical change to the law. Regulatory penalties and class action lawsuits give rise to negative publicity that have the potential to damage your organization’s profitability and its brand.

Build compliance into your outbound calling and texting programs

To address this potential reputational, regulatory, and legal risk exposure, compliance professionals should partner with the stakeholders in the organization who have a vested interest in outbound calling and texting programs. These stakeholder functions will likely include Sales, Marketing, E-Commerce, Call Centers, and Information Technology (yes, IT! They own the autodialer and messaging hardware and software your organization relies upon). And don’t forget those third-party service providers that may actually be managing your call lists, opt-ins, and outbound calling and texting programs.

Once you have marshaled your stakeholders, you will want to undertake:

(1) a review of existing outbound calling and texting programs, approval processes, and vendor contracts; and
(2) detailed guidance to management regarding the changes and safeguards required for current and future programs.

You will specifically want to address pre-recorded messages sent to both land line and cellular phones, as well as text messages sent to cellular phones.

Compliant pre-recorded messages

Your organization may call consumers who have provided written permission after being fully informed that they have expressly assented to receive prerecorded calls regarding your products and services. If your organization has not obtained such “prior express written consent” since October 16, 2013, you will want to solicit a revised affirmative written opt-in. Guidance interpreting the amended TCPA treatment of prerecorded calls suggests that a consumer must have the option to affirmatively check an unchecked box beside verbiage that explicitly and plainly explains that the consumer is opting into receiving prerecorded calls to his/her cell phone and/or land line phone.

A prerecorded message system must also adhere to the following opt-out language and activation safeguards:

• Businesses using robocalls are required by law to tell a consumer at the beginning of the message how to stop future calls, and must provide an automated opt-out the consumer can activate by voice or key press throughout the call.
• If the message could be left on voicemail or an answering machine, businesses also have to provide a toll-free number at the beginning of the message that will connect to an automated opt-out system the consumer can use any time.

Compliant text/SMS messages

Changes to existing text message marketing opt-in processes may be required at your organization to conform to the new “prior express written consent” standard. Recognizing that text messages are limited in character length, these changes should be customized for your purposes, but may resemble:

• New text/SMS enrollee receives: “Reply ‘AGREE’ to receive wkly XYZ Discount Alerts. Periodic msgs may be sent using autodialer. Consent not required for purchase. Msg&Data rates may apply” (to fulfill the FCC requirement of obtaining express written consent after the initial request is received AND that his/her consent is not required in conjunction with any other purchase)

• Once the consumer replies with ‘AGREE’, enrollee receives: “Thanks for confirming! You will receive weekly XYZ Discount Alerts! Stop reply ‘STOP XYZ’. Msg&Data rates may apply.” (to fulfill the FCC requirement of explicitly informing the requestor how he/she may rescind the opt-in)

Obtain new consent from current text/SMS subscribers

Your organization may currently have thousands (or hundreds of thousands) of subscribers. When the new rules took effect on October 16, 2013, all consent obtained under the old “prior express consent” standard was invalidated. When the FCC issued its revised rules in February 2012, the agency conveyed that once the new written consent rules became effective, companies would be required to obtain the revised “prior express written consent” before sending additional marketing messages. An established business relationship also no longer relieves advertisers of the prior express written consent requirement after the effective date. You will thus want to ensure that all current subscribers also receive the message inviting them to reply ‘AGREE’.

New text/SMS message marketing programs

These same FCC principles would apply to new text marketing programs that your organization may launch in the future. The FCC interprets “marketing” very broadly in its own favor, so you will want to ensure that your Compliance Department is involved at inception to review new text messaging programs.

Conclusion

As compliance professionals, we must daily balance our organization’s customer-focused mission with the consumer protection regulatory requirements. By taking swift action with your stakeholders now regarding the TSR and TCPA, you can reduce the risk that your organization will make the wrong call.

Notes

1 The Telemarketing Sales Rule, September 2009, http://www.consumer.ftc.gov/articles/0198-telemarketing-sales-rule.

2 Ibid.

3 FTC Issues Final Telemarketing Sales Rule Amendments Regarding Prerecorded Calls, August 19, 2008, http://www.ftc.gov/opa/2008/08/tsr.shtm.

4 United States of America v. Skyy Consulting, Inc., also d/b/a CallFire, a California corporation, United States District Court, Northern District of California, San Francisco Division, Case 4:13-cv-02136-DMR, Document 3, Filed 05/13/13, http://www.ftc.gov/os/caselist/1223011/130514callfirestip.pdf.

5 United States of America v. Skyy Consulting, Inc., also d/b/a CallFire, a California corporation, United States District Court, Northern District of California, San Francisco Division, Case 4:13-cv-02136-DMR, Complaint, Filed 05/09/13, http://www.ftc.gov/os/caselist/1223011/130514callfirecmpt.pdf.

6 Pari Najafi v. SLM Corporation, et al., United States District Court for the Southern District of California, Case No. 10-cv-0530 MMA, Amended Settlement Agreement, October 7, 2011, http://www.manatt.com/uploadedFiles/Content/4_News_and_Events/Newsletters/AdvertisingLaw@manatt/Sallie%20Mae%20amended%20settlement%20agreement.pdf.

Friday, October 11, 2013

WHEN ETHICS AND EXPEDIENCY COLLIDE

“It is the mark of an educated mind to be able to entertain a thought without accepting it.” ~Aristotle

“There are no easy answers, but there are simple answers. We must have the courage to do what we know is morally right.” ~Ronald Reagan


As Compliance and Ethics Professionals, we are daily reminded that violations of law and dignity are no less common now than they were in ancient civilizations. We report upon and read about corporate, government, and personal scandals that boggle the mind. Acts and omissions that defy common sense are nonetheless undertaken out of expediency, greed and ignorance, only to eventually expose the perpetrators in the public square.

Why?

Why--with all the failed historical examples, complex laws, regulatory bodies, education and training—do some organizations continue to succumb to poor judgment and wrongdoing, while other organizations rise above?

While we speak often about the ‘tone at the top’, we must also acknowledge that ideas and actions emanate at all levels of our organizations. Driven by deadlines, profits, corporate goals, marketplace competition, etc., individuals contemplate ideas and execute upon those ideas. But not all ideas for generating revenue, decreasing expenses, or streamlining processes merit the same consideration.

An organization’s culture, modeled by its leaders at all levels, must unambiguously communicate that execution must meet its values. A healthy exchange of ideas should always be weighed sufficiently and transparently by knowledgeable stakeholders, so as to expose potential ethical, legal and financial pitfalls. Though we are charged with educating our operational and administrative colleagues about our Code of Conduct and our Legal and Regulatory obligations, we have the additional obligation to actively counsel them as well.

Leveraging our Anonymous Reporting Hotlines, Internal Audit Departments, and industry and regulatory trends, we ourselves must be prepared to actively engage our colleagues across our organizations to probe for prospective lapses. In a highly-charged competitive environment, we cannot idly sit by and fail to question if expediency is trumping ethical decision-making. Let’s not forget that we are the protagonists—not the villains—in this story.

Wednesday, August 21, 2013

YOUR DREAM TEAM: Where Everyone is a Compliance Leader

“In looking for people to hire, you look for three qualities: integrity, intelligence, and energy. And if they don’t have the first, the other two will kill you.” ~Warren Buffett

“The supreme quality for leadership is unquestionably integrity. Without it, no real success is possible, no matter whether it is on a section gang, a football field, in an army, or in an office.” ~Dwight D. Eisenhower

Who leads legal and regulatory compliance at your organization?

How many of your employees are in a compliance role?

Before you respond, consider this…every employee in my organization is in a compliance role...and is charged with being a compliance leader. We only hire compliance leaders to fill each open position throughout the organization. Sales. Operations. Human Resources. Accounting. Facilities Maintenance.

You may be wondering why an organization would engage in such a harebrained staffing strategy. (You may also be wondering how much longer such an organization could remain in business.) But hearkening back to the words of Warren Buffett and President Eisenhower above, how else could you possibly select talent?

In today’s increasingly complex international regulatory topography, no function within your organization escapes the need to develop policies, processes and training that will address compliance requirements at all employee levels. A CEO cannot simply rely upon an Internal Audit function, a Legal Department, or a Regulatory Compliance team to identify and mitigate all enterprise-wide risks.

Further, day-to-day compliance and risk management responsibility cannot fall solely upon the shoulders of department heads or supervisors. As leaders, each of you knows that there are far more events occurring of which you are unaware than those that do rise to your attention. Each of our employees—from the most senior to the newly-hired—must understand his/her vital role in preventing, identifying, reporting, and resolving the compliance issues that affect his/her respective role and department.

We must hire individuals that bring the added skill of compliance awareness. I want:

• a talented facilities maintenance employee who also appreciates the impact the EPA and OSHA have at our organization;
• a certified public accountant who also appreciates the impact that the SEC and PCAOB can have;
• a customer-focused call center agent who also appreciates the impact that the FTC and FCC can have; and so forth.

Myself, I’d rather have thousands of sets of eyes mitigating risk globally than to rely only upon my own comparatively limited viewpoint. So, let me ask those questions a different way now…

Who doesn’t lead legal and regulatory compliance at your organization, and why not?

How many of your employees aren’t in a compliance role, and why not?

Tuesday, July 30, 2013

BUILDING EFFECTIVE COMPLIANCE PROGRAMS: It Takes a Village

“No member of a crew is praised for the rugged individuality of his rowing” ~Ralph Waldo Emerson

“If everyone is moving forward together, then success takes care of itself” ~Henry Ford


I had recently been contacted by an individual who had been tapped by her organization to launch a corporate compliance program. My colleague approached me with that perennial question, “How did you build your program?...” I paused to consider my response.

Despite the mythology to which some may wish to subscribe, individuals don’t design, build or improve corporate compliance programs alone. While individuals certainly contribute significant leadership, ideas, and work product to a successful compliance program, it is truly the efforts of interconnected contributors that weave the fabric of the program.

From scoping and documenting the program charter through defining and populating a comprehensive compliance risk universe, it takes a village of invested professionals to build the program. Since a compliance program likely encompasses several lines of business and diverse operating functions spread across multiple locations, personal interaction with a variety of leaders and staff is necessary to identify, quantify, and rank risks across an organization. I don’t know about you, but I certainly have experiential limitations regarding various functions outside my areas of expertise. Without those subject matter experts, my program would be neither comprehensive nor effective.

Thus, while it would have been terribly tempting to my ego to lead my fellow professional colorfully through an anecdotal reprise of my rugged journey to locate the holy grail of corporate compliance on a lonely mountaintop, my better angels prevailed. “Katherine, I’d be pleased to share with you how we built our program, and the lessons we’ve learned…” And with that discussion, another member was added to the compliance program “village.”

Wednesday, July 3, 2013

EXPOSING MY DIRTY LAUNDRY: Responding to Ethical Incidents in Advance

“Ethics is knowing the difference between what you have a right to do and what is right to do.”
~Potter Stewart, former U.S. Supreme Court Justice

“The time is always right to do what is right.”
~Martin Luther King, Jr., U.S. civil rights leader


Today’s revelation that former Olympus Corporation Chairman Tsuyoshi Kikukawa had received a suspended sentence for his role in a $1.7 billion accounting fraud is a reminder that neither business ethics courses nor prior real-world examples have stemmed the tide of high-profile executive wrongdoing. In addition to former Olympus Executive Vice President Hisashi Mori, Hideo Yamada, the former auditing officer, also received a suspended sentence, debunking any myths that corporate audit and compliance professionals are above temptation.

Sufficient ink has been dedicated to detailing the corporate, government, and NGO ethical downfalls throughout the modern age. Fraud observes no geographical, political or industry boundaries. Ethical lapses remain pervasive and persistent, but I believe they are preventable.

What are you doing within your organization currently to acknowledge and mitigate the risks posed by executive ethical lapses?

Tone at the top is more than an email, a poster, or even a video distributed by your chief executive officer expounding the importance and benefits of maintaining an ethical culture. Real ethical leadership takes root within an organization when the board of directors and senior leadership infuse the culture with relevant actions.

· Strategic planning conferences and periodic governance meetings should include ethics discussions on the agenda.
· Tabletop exercises should be built around current ethical lapse events in your industry.
· Internal metrics should be tracked and benchmarked against other like organizations.
· Employees at all levels must be encouraged to ask questions and report observed ethical lapses in good faith without fear of retaliation.

What are you doing when a significant ethical lapse strikes from within your own organization?

At one time or another nearly every organization, be it for-profit, government agency, faith-based, etc., will need to address an ethical incident that emanates from within its own walls. More than just the fear of negative publicity or criminal prosecution should drive the organization’s response. Many a relatively minor ethical incident has morphed into fodder for bloggers and 24/7 cable news outlets simply due to senior level fumbling and obfuscation amidst embarrassing revelations.

In fact, the best time to publicly address ethical lapses within your organization is before one has emerged.

· Plan, document and test your organization’s Ethical Incident Response Plan (E-IRP).
· Educate senior leadership regarding effective and transparent communication strategy, obtaining communication training in advance where needs dictate.
· Communicate in a coordinated, transparent and timely manner both internally and externally to your organization, erring on the side of humility and candor.

Organizations are governed and led by human beings. Men and women, regardless of demographic variables across cultures, shun the humiliation and ridicule that scandal generates. Applying an objective E-IRP model in advance of ethical lapses will mitigate the risk that my dirty laundry—or yours—will hang too long on the proverbial corporate clothesline.

Tuesday, June 18, 2013

Why I Love Regulatory Examinations

“The superior man understands what is right; the inferior man understands what will sell.”
~Confucius

“Happiness does not come from doing easy work but from the afterglow of satisfaction that comes after the achievement of a difficult task that demanded our best.”
~Theodore Isaac Rubin


To this day, I enjoy going to the dentist. Almost nothing feels as good as that squeaky-clean sensation after the hygienist completes a thorough cleaning. When I was a child and others feared that periodic visit to the reclining chair, I looked forward to the cleaning, the fluoride, and the constructive criticism about my brushing I received as I sat there. While not cavity-free, I have experienced far fewer cavities than I otherwise would have.

Similarly, I’ve never experienced an unfavorable regulatory examination, though my experiences haven’t been “cavity-free.” Jokes comparing audits to root canal aside, I believe the same lessons learned in the dentist’s chair apply equally well amidst the increasingly complex regulatory landscape we face in our organizations. We each lead our organizations with our mission top of mind, but those of us who achieve the greatest success know that we must continuously improve our products/services, our processes, and our people. That is where our regulatory examinations and internal audits come into play.

But some of us have also led in organizations where government regulators were regarded by some of our colleagues as the barbarians at the gate. Those doomsayers would have us believe that examiners and auditors are the malicious brainchild of fiendish state and federal bureaucrats committed to plunging our state or nation into communism.

I’m not a fan of senseless or redundant government regulation by any means, but even Ronald Reagan retained most aspects of the federal regulatory infrastructure throughout his tenure. Judicious regulation has its rightful place in the untamed marketplace, and thus serves to balance the interests of fair-minded consumers and businesses against the carelessness of the few.

A fair-minded organization operates with a high degree of transparency and employs efficient controls and feedback mechanisms to drive improvement. While operational metrics, financial reporting, and focus groups can provide much important data, the superior organization incorporates the findings and observations of its internal auditors, external information security auditors, and state and federal government regulators into its continuous improvement mechanisms.

I have had the pleasure of speaking with countless committed regulatory professionals throughout my career. Well-educated, knowledgeable about their industries, insatiably curious, these men and women have not only provided me and my colleagues with great insight into our own organizations, but have also previewed industry trends before they became regulatory mandates.

Because we were willing to listen, anticipate and prepare, we were able to adapt practices, install or modify systems, and educate our employees and customers in a manner that displayed our genuine integrity as an organization. While I’ve led at organizations that have garnered awards and praise, I am pleased not to have worked at organizations that have headlined the scandal pages.

The truth is…regulatory professionals care deeply about their respective agencies’ missions. As within our own organizations, they are also subject to the ambiguity and uncertainty that new laws, regulations, and political battles entail. Without speaking ill of a rule, regulation or politician, a forthright regulatory professional will admit when the landscape is rocky, shifting or unstable. A wise leader walks that rocky road with the regulator, listening closely, communicating openly, and seeking clarity where clarity may be had. And even when we must agree to disagree on a matter, the relationship remains strong well into the future.

A forward-leaning organization positioned to succeed well into the future expands itself atop a firm foundation built solidly into the regulatory landscape. When regulatory examinations and internal audits inevitably occur, the transparent integrity and compliant processes we employ will carry the day. Importantly, our ability to humbly accept and evaluate the findings, recommendations and observations that are shared with us (formally or informally) may well drive adaptations or improvements that our stubborn competitors will be unwilling to receive. Hubris begets truth decay.

Tuesday, April 23, 2013

COMPLIANCE & ETHICS: STAND YOUR GROUND OR STAND DOWN?

“When restraint and courtesy are added to strength, the latter becomes irresistible.”  --Mahatma Gandhi

Building upon the topic of my last article, I want to explore how you respond when called upon for your compliance or ethics perspective.
On the one hand, as the cliché goes, to him whose only tool is a hammer, every issue is a nail. At some phase of our own careers we may have found ourselves expounding first and asking critical questions later. At the very least we have encountered compliance professionals who may have operated from this viewpoint. As I recall one individual saying to me years ago, “If he didn’t want my honest opinion, then he shouldn’t have come to me for compliance advice!” At this end of the spectrum, every situation that arises, every request that is received, is met with an oft-detailed compliance laundry list that can bog down many a promising business initiative.
At the other end of the spectrum is the laissez-faire attitude toward compliance and ethics. In such an environment the duty of care is subjugated to the operational imperatives of running the business. Time is money. Rules were made to be broken. What they don’t know won’t hurt them. And so forth. Where compliance has become a reactionary repair mechanism and ethics don’t weigh into substantive decision-making, an organization will eventually find itself on a collision course with the U.S. Federal Sentencing Guidelines and other civil and criminal laws. The wise compliance and ethics professional attempts to improve this culture, but if unsuccessful may best be advised to exit amidst a noisy withdrawal.
Between the Compliance Overlord and the Compliance Pushover models described above do we find the middle ground upon which the majority of us practice our profession. As we often must confess, the black-and-white scenarios aren’t the ones we’re generally called in to decide. Management can make those clear-cut calls on their own with ease.
When management encounters the Overlord too frequently, then management will avoid consulting compliance and ethics professionals. A resulting pattern of inconsistent and self-serving decision-making increases in this environment, exposing the organization to decreased morale, employee confusion, and potential litigation.
When management encounters the Pushover too frequently, then management will only seek out compliance and ethics professionals to rubber-stamp otherwise questionable or insubstantial decisions. A resulting pattern of patchwork compliance counsel that largely misses the breadth of business line decision-making spreads in this environment, exposing the organization to rogue players, overly-confident self-assessments, and potential litigation or criminal prosecution.
In short, know when to stand your ground and know when to stand down and let management carry on.
When our organization’s compliance & ethics culture is strong, visible, and active, then management and employees know that they can rely upon us to exercise good judgment in the face of ambiguity. Your good judgment is best understood within and across your organization when exercised judiciously. When you get to know your management colleagues, truly understand their business strategies and objectives, and defer to their expertise when compliance and ethical standards are being substantially met, you will earn that reputation for wise and judicious counsel.
When you weigh in on matters sparingly and appropriately, your organization will prosper ethically in your stead.

Thursday, April 4, 2013

Your Compliance & Ethics Function: Aligned, Not Maligned

Today, more than ever, your organization needs you. As a Chief Compliance & Ethics Officer navigating the increasingly complex regulatory landscape, your objectivity and expertise provide your board and senior leadership team with a beacon to guide them. Oftentimes you are viewed as the guardian at the gate.

While your colleagues and directors will likely embrace and support your role, your precautionary observations, and your recommendations, that enthusiasm does not always translate vertically throughout the organization. Members of your team may already have encountered the resistance that emerges when raising regulatory compliance, ethics or internal control concerns in the midst of deadline-driven projects. Not often do the profit center managers in our organization stand up and cheer our scrutiny and counsel when we review their proposed product and service offerings, marketing materials, and incentive compensation plans.

We do not further the compliance & ethics mission in our organization when our role is viewed in isolation as too far removed from the day-to-day goals and objectives of our organization. Let’s face it—our organization was most likely founded to achieve a for-profit or not-for-profit objective, not to support our compliance & ethics function.

Over the years I have identified some key steps that allow our compliance & ethics role to align tightly with the growth strategies and objectives that our organizations strive to implement. I refer to these steps as getting down into the MUD:

·         Meet as many key managers at all levels in your organization as feasible. The more colleagues you become familiar with, the greater likelihood that your involvement will be sought out earlier in the planning, development, and execution of new programs, products, and initiatives.
·         Understand genuinely the plans, imperatives, and metrics that drive key managers in your organization in their respective roles. When you truly understand the why, what and how of each division and department, then you will be better able to anticipate and address potential regulatory compliance, ethical, or internal control exposures.
·         Defer to your operational colleagues when a decision does not require approval from you. Your credibility as Chief Compliance & Ethics Officer is strengthened when you resist the urge to exert your will upon every decision in a project, program, or product launch.

When we take the time to get to know our operational colleagues, understand their roles more fully, and defer to their subject-matter expertise, we will find that those same colleagues are much more likely to invite us to advise them regarding regulatory compliance, ethics, and internal control matters. Instead of being maligned as the killjoys at headquarters, let us become aligned with our shared organizational mission as we serve to safeguard it from foreseeable risks.

Thursday, March 28, 2013

Enterprise Risk Management: Captain Kirk Confronts the Final Frontier

When faced with the regulatory mandate to incorporate or improve your organization's enterprise (or enterprise-wide) risk management (ERM) process, we can sometimes feel like a Klingon confronting Tribbles. To succeed with ERM within our organization, we must instead adopt the attitude expressed by Captain James Kirk in the 'Day of the Dove' episode: "There's another way to survive. Mutual trust...and help."
Several years ago, the federal banking regulators set off on a mission to bring Enterprise Risk Management (ERM) to the forefront of financial institution governance expectations. In the ensuing years, state insurance regulators have joined the mission through the National Association of Insurance Commissioners (NAIC) Own Risk and Solvency Assessment (ORSA) model act. The topic continues to get considerable attention in recent regulatory guidance, including Federal Reserve Board (FRB) supervisory letters 12-7 and 08-8. The Federal Reserve Bank of Chicago (FRB-C) devoted considerable attention to the topic at its 2011 conference.

What appeared to be a distant risk management galaxy in the late 1990s has certainly become an oft-discovered governance imperative for financial institutions. As a financial industry executive, you know that you have been charged with the responsibility “to boldly go where no man has gone before.” Much like the voyage of the storied U.S.S. Enterprise, your voyage has taken you to strange new worlds as you have sought to develop or improve your ERM model.

When you have set out to build a robust risk management infrastructure to integrate, coordinate and facilitate forward-looking risk management throughout the enterprise, you invariably have encountered (or will encounter) skeptics. Captain Kirk addressed this challenge in the 'A Private Little War' episode: "The only solution is...a balance of power. We arm our side with exactly that much more. A balance of power...the trickiest, most difficult, dirtiest game of them all. But the only one that preserves both sides."
But make no mistake about it—ERM is not optional and is here to stay. Thus, we often will find ourselves educating senior leadership colleagues and independent directors about ERM, in parallel with obtaining the necessary data to build, enhance, and report upon our ERM model. ERM cannot simply become a once-and-done exercise that ends up in a binder on your credenza.

Building a culture around ERM involves acclimating leadership throughout the organization to a continuous reporting system that identifies and addresses emerging risks. Strategic initiatives and ongoing business planning are evaluated in light of current and emerging risks, and that evaluation is incorporated into the analysis that informs leadership and board decision-making. ERM becomes a discussion item on at least a weekly basis within the leadership team, and a standing agenda item for your board, often through an ERM committee. Reports are designed to be condensed, accurate and meaningful for decision-making.

Internal Audit and Compliance play key roles in the ERM process. The periodic review and validation of the model through targeted risk assessments must be conducted under the direction of the organization’s senior leadership to support the organization’s risk appetite.

Occasionally, Captain Kirk and his officers would find themselves enmeshed in a scene from Earth's pre-space travel history, yet the episode always ended with our beloved travelers safely back aboard the U.S.S. Enterprise. As your ERM model and methodology evolve, it is likely that the organization will also never return by the way that it arrived, because external variables will continually infiltrate the ERM model. Most notably, your organization’s ERM will remain under the scrutiny and be subject to the recommendations of your prudential regulator. There simply is no going back.

Continue to be the evangelist for sound enterprise risk management in your organization, devoting yourself to encouraging, educating and embracing your colleagues as you faithfully fulfill the ERM governance role entrusted to you. Much like Kirk, may you live long and prosper in your role.

Wednesday, March 13, 2013

Forecasting the Digital Future: Avoiding a “Friend Request” from the FTC

The regulatory burden upon corporate social media strategy was further increased when the Federal Trade Commission (FTC) issued its revised .com Disclosures guidelines on March 12, 2013 (http://ftc.gov/os/2013/03/130312dotcomdisclosures.pdf). The original guidelines had been published in 2000, long before “smartphone” and “social media” became household terms. This highly anticipated revision of the original document had been underway since May 2011, and appears to have been closely timed with the recent FFIEC social media rulemaking.

Guidelines are often drawn from successful FTC administrative actions against violators. While guidelines do not carry the weight of formal law, guidelines do define norms that will often trigger subsequent FTC regulatory investigations, and thus must be regarded by industry within the advertising risk management framework. That being said, the FTC admits that there is no set formula for a clear and conspicuous advertising disclosure. Don’t you relish ambiguity amidst federal regulation and potential for fines?

The FTC reiterates that general principles of advertising law apply online, but new issues arise almost as fast as technology develops, most recently concerning space-constrained screens and social media platforms. No one would deny that most organizations intend for all of their advertising to fairly and accurately portray their products and services.

Complying with advertising law within the four corners of a typical print advertisement or within the storyboards of a video advertisement presents a more limited range of challenges. The digital marketing frontier has introduced an infinite number of complex issues, including the more rapid evolution and retirement of technology hardware and software platforms. For example, many of us have become familiar with the rise of Apple and Android apps, even as app makers have decreased or eliminated the creation of BlackBerry apps.

Against this backdrop, the FTC places the burden of understanding and complying with the technological limitations of burgeoning online and mobile platforms upon the advertiser. Compliance monitoring and periodic internal audits should be embedded into your social media risk management strategy.

The major takeaways from this revised guidance as they apply to social media are:
·         The FTC Act’s prohibition on “unfair or deceptive acts or practices” encompasses online advertising, marketing, and sales.
·         Required disclosures must be clear and conspicuous.
·         If an ad is viewable on a particular device or platform, any necessary disclosures should be sufficient to prevent the ad from being misleading when viewed on that particular device or platform.
·         If a particular platform does not provide an opportunity to make clear and conspicuous disclosures, then that platform should not be used to disseminate advertisements that require disclosures.

The prescriptive and restrictive nature of the FTC’s guidance requires advertisers to develop and test advertisements across the rapidly-evolving landscape of mobile devices, including tablets and smartphones. Ignorance of emerging technologies will provide no corporate defense to an FTC-initiated action in light of the explicit expectations expressed in the March 2013 guidelines.

The guidelines are well-written and provide a robust appendix of sample advertisement do’s and don’ts. But social media strategists will need to maintain a constant technological vigilance as new web-enabled technologies come to market. Otherwise, don’t be surprised if you receive a “Friend Request” from a new friend at the Federal Trade Commission and learn an entirely new definition of “clear, conspicuous, and proximate”.

Wednesday, March 6, 2013

Strength and Sustainability: Collaborative Compliance Amidst Complexity

I simply do not have all of the answers. There, I have said it.
My simple statement sums up the collective admission of Compliance, Audit and Ethics professionals globally. The annual proliferation of domestic and international regulatory requirements continues to proceed at an ever increasing rate. Whereas only a decade or two ago a chief compliance officer might likely have understood the details of all regulatory responsibilities within his/her realm, many of us have now grown accustomed to reliance upon specialized colleagues to identify the details of specific branches within our own compliance universe. At least two easily recognizable trends have led to this reality: global commerce and systemic failure.
Global commerce has both driven and benefited from technological and economic advances throughout history. Progressing beyond the steamships that replaced clipper ships, the internet built upon the initial success of the transoceanic cables laid long ago. While local trade rules and customs remain, the international Law of the Sea has been joined by International Free Trade Agreements and transcontinental legal structures, most notably the European Union, where supranational legal structures both supplant and co-exist with domestic laws and regulations.
Systemic failures that have led to financial crises within nations as diverse as Greece, Ireland, Japan and the United States have resulted in the now-familiar remedies of International Monetary Fund austerity measures, the Third Basel Accord, and the Dodd-Frank Wall Street Reform and Consumer Protection Act, to name a few examples. Regulators have sought to eliminate pathways to fraud, largesse and market manipulation widely blamed for the global crises by promulgating lengthy and complex regulatory solutions.
Compliance professionals who once may have laid claim to comprehending and administering compliance programs involving an entire continent or nation have succumbed to a level of regulatory complexity that makes such independent mastery unattainable. Even for those of us who oversee primarily domestic compliance programs, international influences are now omnipresent in Dodd-Frank, the Bank Secrecy Act, the FCPA and the U.K. Bribery Act of 2010.
At the end of the day, Compliance, Audit and Ethics professionals are exactly that—professionals. We do not simply throw our hands up and decry the unfairness of increasingly complex regulatory requirements. True to our nature, we seek to understand as much as possible about our responsibilities to fulfill those compliance requirements in conjunction with our organization’s core mission and objectives. But our inquiries and information gathering must extend beyond our own individual knowledge and planning. Today’s increasingly complex regulatory environment requires us to collaborate with colleagues both within our organizations and beyond.
I would propose that now is the time to build stronger, more sustainable Compliance Programs through intelligent collaboration. It must not be viewed as a sign of ignorance or laziness when we humbly and actively partner with fellow Compliance, Audit and Ethics professionals to ascertain best practices. Likewise, we must continue to embrace the business line leaders within our own organizations to build collaborative compliance solutions that fulfill our regulatory responsibilities without unnecessarily impeding daily operations and long-term strategies.
Effective Regulatory Compliance…we may not each be able to do it alone, but we can certainly do it more constructively together.

Monday, February 18, 2013

An Invitation to Connect: The FFIEC Embraces Social Media Regulation

Financial Institutions in the United States have a new “friend” to contend with in their social media circle.
Given the exponential increase in the influence social media has had upon the financial institution landscape in recent years, compliance professionals could have anticipated the recent Federal Register notice. On January 23, 2013 the Federal Financial Institutions Examination Council (FFIEC), composed of the OCC, the Federal Reserve Board of Governors, the FDIC, the NCUA, the CFPB and the State Liaison Committee (“the Agencies”) jointly issued proposed guidance for public comments to be received by March 25, 2013.
This broad-based guidance proposes to address the applicability of federal consumer protection and compliance laws, regulations, and policies to activities conducted via social media by banks, savings associations, and credit unions, as well as by nonbank entities supervised by the Consumer Financial Protection Bureau. Viewed in the broader context of enterprise risk management, the Agencies are seeking to ensure that all supervised financial institutions are effectively assessing and managing risks associated with activities conducted via social media. Specifically, the financial institutions will be expected to incorporate consumer compliance and legal risks, as well as reputation and operational risks associated with social media activities, into their governance structure.
The FFIEC’s entry into social media regulation will likely be met with mixed reviews by financial industry compliance professionals. While many organizations have sought to craft policies and procedures to address this multifaceted communication phenomenon, other organizations have struggled with developing a consensus around how to approach social media governance. For organizations that have yet to create or adequately revise social media policies and procedures to encompass its growing importance to commerce, the FFIEC action may provide the impetus that Chief Compliance Officers can leverage to guide corporate boards and C-suite executives to create a social media governance structure.
I read the proposed guidance with great interest. I had expected the FFIEC to provide guidance regarding a financial institution’s active use of social media in its business and by its employees, both in their capacity as employees as well as off-duty. The proposed guidance directly addresses the Compliance and Legal Risks posed by social media with regard to deposit and lending products, payment systems, anti-money laundering and financial privacy. The regulation of an active social media presence clearly reflects the consumer protection best practices that an organization would apply to its other outbound channels, including print, television, and radio marketing, as well as authorized corporate communications.
The portion of the proposed guidance that I found even more insightful was the Reputation Risk topics the FFIEC chose to explicitly consider. Some executives offer the opinion that if their organizations don’t actively foster a social media identity, then the need for social media governance is eliminated. The FFIEC instead acknowledges that even an organization that chooses to forgo promoting an active social media presence is subject to the risks that can be thrust upon an organization by the public. Noting that reputation risk is the risk arising from negative public opinion, the proposed guidance delves into the realm of dissatisfied consumers and negative publicity that can cause significant harm to a law-abiding financial institution. In addition to Fraud and Brand Identity and Third Party Concerns, the FFIEC directly addresses a financial institution’s affirmative obligation to monitor Consumer Complaints and Inquiries initiated via social media.
In an economy overflowing with consumers clamoring to ensure that “there’s an app for that,” financial institutions have worked actively to develop social media channels to harness consumer demand to varying degrees. Additionally, those same consumers who routinely update their social networks (both personal and professional) from their smartphones while waiting for the train or purchasing a latte will also launch a Twitter rant or a scathing and aptly-named blog post about your organization before they’ve left your premises. This proposed guidance, which will likely receive many comments before being issued in its final form, is going to eventually become part of your prudential regulator’s examination process.
I would propose that now is the time to address your organization’s social media governance process. Working with your board of directors and your senior leadership colleagues, you can assess the current status of your policies and procedures; identify and address perceived gaps; and provide appropriate guidance to employees within your organization before the regulators arrive to test your practices. Action now will likely ensure that your regulator hits the “Like” button later.


Monday, February 11, 2013

COMPLIANCE NEVER SLEEPS

Ever so slowly a consensus appears to be emerging that the economy has been improving in the United States. Though some economic indicators, including the unemployment rate and consumer sentiment, remain stagnant, we are witnessing a rebound in private sector hiring, new construction, and equities investing. Equity is returning to homeowners and mortgage refinancing has returned. Innovation continues to flourish across industries.
And the imperative for vigilant corporate compliance programs and professionals has never been greater.
Lest you brand me a killjoy at the party of renewed American prosperity, let me encourage you to pause and reflect upon the post-recessionary periods of the past several decades.
When organizations emerge from the austerity and uncertainty of a recession, like action movie survivors emerging from a post-apocalyptic underground bunker, leaders seek to return to the familiar and comfortable patterns of pre-recession growth. We want to sell things. We want to build things. We hire people and purchase systems and tools to do both. And we want to do it quickly to make up for lost time and to satisfy pent-up consumer demand.
I propose that, as leaders, we should also pause to reflect upon the patterns and practices that led to the recession in the first place. On a microeconomic level, the organizations whose actions precipitated the recessionary events often succumbed to false notions of success built upon skewed compensation plans, short-term corporate financial results, and process or quality breakdowns. While the industries may change from financial crisis to financial crisis, the factors that string the past two decades’ mortgage banking, energy trading, and technology busts together are not very dissimilar.
So, what is the difference between the company that succumbs and the company that succeeds over the long term in the very same industry? I would conclude that it rests upon universal adherence to an unwavering compliance program. Like guardians at the gate, the joint efforts of Compliance, Audit, Security, and Ethics professionals stand firm against cultural shifts within some organizations that allow foundations to crack.
As we move beyond this most recent recession into our blossoming period of prosperity, I encourage you to take a moment to re-evaluate your investment in your organization’s compliance program. Even as you bolster production and sales efforts to meet consumer demand, bolster compliance resources within the organization.
·         Publicize your Code of Conduct and Ethics Hotline.
·         Revisit traditional and emerging high-risk areas of compliance and control exposure.
·         Renew your leadership commitment to the truth that your corporate compliance program is a competitive advantage.
Preparing your compliance program today to withstand the inevitable recession of tomorrow will ensure long-term prosperity for your organization.